Exceptions to Security Policy - What are and how to deal with them?

By Yuri Braz, CISSP, CRISC, PMP


Information security, or cybersecurity, becomes more relevant every day. One of the main reasons is that information has become the main asset of most companies, so it must be safeguarded; otherwise companies could not create value for society and their shareholders. Large institutes such as (ISC)² help to develop and democratize the information security field, and today the majority of medium and large companies have an information security policy. An infosec policy is the first step towards risk governance and is essential to the practice of due care and due diligence, which aim to make a reasonable effort to ensure that all efforts and investments made by the company are carried out within known and acceptable risk criteria.


In this sense, this post is intended as a provocation to encourage discussion of an extremely relevant topic, one that is often kept in the background in companies, including large corporations: exceptions to the security policy. While most companies may have an information security policy, as a rule there are exceptions to it that may go unnoticed, or be underestimated, by risk governance.


First, it is necessary to define what is (and what is not) an exception to the security policy. We define an exception here as something that is excluded from the policy, a deviation from the norm. This exclusion, which is valid only for a single person or a small and specific group of people, is usually granted to waive, or loosen, the operation of a security control in order to meet a business requirement that emerged after the policy was established. In other words, a s ..
